How to assign Entra user User.Read.All and Group.Read.All from Graph Explorer
I'm getting the same error described in this post:
Microsoft Social Login Approval Required Popup but the context is i'm signing into graph explorer as "user1@mydomain.onmicrosoft.com" and I'm trying to create a specific subscription that needs User.Read.All and Group.Read.All. When i try to assign myself these permissions via Graph Explorer's consent button, I get the prompt that says I need permission and to specify a reason why i'm asking. Id like to get rid of this prompt.
my user consent settings look like this:
And my admin settings:
The two users allowed to review access requests are the only 2 users in this test tenant. Including the one I'm using to sign into graph.
Ideally, I would like to configure my tenant so that all users have user.read.all and group.read.all.
I've tried to check Entra->Applications->Graph->Permissions. I've tried to add User.Read.All and Group.Read.All there but i still can't create subscrpition that I need. Any tips would be appreciated.
Edit 1
In myparticular case, in order to get it working, I had to allow users to request access to the specific app.
Allow users to request access to this application?
Yes
Require approval before granting access to this application
No
And when I sign in as Global Admin into Explorer, I don't get the prompt to consent for all users.
'
But your suggestion to allow users to request access is what tipped me off so I'm going to accept the solution.
I have below option selected under User consent settings in my tenant:
In Admin consent settings, I enabled below option with Sri as reviewer to admin consent requests:
When I logged in to Graph Explorer with local user account and tried to consent User.Read.All permission, I too got "Approval required screen" as below:
To approve above consent request, sign in with reviewer account having Global Admin role and approve pending request like this:
When I tried to consent User.Read.All permission with local user account now, it worked and I'm able to list users successfully like this:
GET https://graph.microsoft.com/v1.0/users
Response:
If you want to get rid of "Approval required" screen while consenting permissions, disable below option by setting it to 'No':
To configure your tenant so that all users have User.Read.All and Group.Read.All permission, login to Graph Explorer with local user having Global Administrator role and make sure to consent permissions by checkmarking "Consent on behalf of your organization" option that won't ask normal users to consent again:
- How to resolve paging when retrieving data from REST API in R
- SearchService deployment fails if the resource exists
- Azure Bicep - Referencing a variable that cannot be calculated at the start
- Local development with Azure SignalR Service and Azure Functions
- Azure Functions & Application Insights requests "Operation Link" empty
- Disabling allow public blob access using terraform
- how to retrieve all resources under given subnet using Azure Resource Graph Explorer query
- I'm using SSIS in ADF to move .csv from a blob container to another and then ingest into a Azure SQL database. I get an assembly error
- How to build expression in ADF from json using parameterized variable?
- Reference a variable azure pipeline not working
- Graph Powershell adding a user to PIM for a privileged security group
- Indexing static HTML blob storage content with Azure Cognitive Search is not working as expected
- Azure python webapp deploy shows as running even though it is successful
- Azure pipeline get Pull request source and target branch name
- Error while copying Azure Storage table from one Storage to another storage table using Powershell script
- Azure Function App Fails to Delete Blob Image After Deployment
- Use Azure AD authentication but manage roles in database in .NET 6
- Microsoft Azure VMs IaaS or PaaS?
- Can an application property be updated/deleted from a ServiceBusReceivedMessage?
- Why is my Blazor Web App throwing a SocketException when authenticating with OpenIddict when deployed to Azure App Service?
- RPC failed: curl 56 failure when receiving data from the peer
- Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell
- Reading Excel file returns 'Invalid Request' error
- Is it possible to clone an Azure Container App?
- Unable to Enable Encryption at host for Azure VM
- Application Insights does not capture information level logging
- How to look up logical partition count and size in Cosmos DB
- AzureRmWebAppDeployment@4 tries to deploy to a wrong URL to Linux app plan
- Azure B2C client credentials flow throws invalid_grant AADB2C90085
- Why I can't create azurerm_app_service connection?